Prior to SmartServer 4.2, the SmartServer Configuration page Firewall tab was called the Features tab.

...

The table below lists the incoming and/or outgoing service ports that are open to the outside world by default. The default is set when re-imaging the system and when transitioning the Enable Enhanced Security option from disabled to enabled. You can sort the table by clicking on the column header.

When the Enable Enhanced Security option is checked (enabled), all of the ports listed in the table are opened except for the ports marked with asterisks (**). Those ports are only open by default if the corresponding service is enabled in the SmartServer Configuration pages. The consequence of closing each port is described in the column labeled Consequence of Closing.

Other services can be managed from the command line using ufw firewall rules. See the Disabling / Re-enabling Other Ports section below for more information. You can optionally create a backup of the following files in case you want to undo any changes to the firewall rules:

/etc/ufw/user.rules
/etc/ufw/user6.rules

Info: Enhanced Security is available with SmartServer 3.5 and higher


Enhanced security is enabled by default (see the System Configuration page) on:

  • a factory-configured SmartServer that is shipped with 3.5 or higher
  • a SmartServer with 3.5 or higher after a factory reset
  • a SmartServer that is re-imaged with 3.5 or higher

Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5.

Enhanced security disables IP-852 routing. To use IP-852 routing you will need to disable Enhanced security.


Port | Service | Protocol | Enhanced In/Out | Standard In/Out | Comment
---- | ------- | -------- | --------------- | --------------- | -------
BAC0-BACF, C000-FFFF ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This port is user-configurable.
22 | SSH (sshd) | TCP | Allowed/Blocked | Allowed/Allowed | See the Disabling SSH / Port 22 section below for more information.
25 | SMTP | TCP | Blocked/Allowed | Blocked/Allowed | Email alarm notifications and password notifications will not be sent.
53 | DNS | TCP/UDP | Blocked/Allowed | Blocked/Allowed | This port is required for DNS resolution.
67 | DHCP client (dnsmasq) | UDP | Allowed/Blocked | Allowed/Allowed | You can set static IP addresses using the System Configuration page; setting static IPs does not disable the service. This port cannot be blocked with ufw/iptables user rules; to change it, update /etc/ufw/before.rules.
80 | SmartServer CMS Update | TCP | Blocked/Allowed | Blocked/Allowed | Default HTTP port.
123 | NTP | UDP | Blocked/Allowed | Blocked/Allowed | This port is required for system time synchronization.
502 | Modbus TCP | TCP | Blocked/Allowed | Blocked/Allowed | This is the conventional port used for Modbus TCP clients and simulators.
443 | Signed Certificates, Licensing | TCP | Blocked/Allowed | Blocked/Allowed |
443 | Web/Proxy Server (nginx) | TCP | Allowed/Blocked | Allowed/Allowed | Default HTTPS port. This port is required for the SmartServer Configuration page, Local CMS, custom web pages, and custom applications using IAP/REST.
1628 – 1645 (typical default range) ** | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | Optional LON functionality: IP-852, RNI, Protocol Analyzer port. You can enable/disable these services using the LON Configuration page. 1628 and 1629 are IANA-assigned ports for LON communications over IP supporting IP-852 and RNI. This port is user-configurable.
1883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security.
2541 | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | External IP-70. This port is always open.
5353 | mDNS (avahi-daemon) | UDP | Allowed/Blocked | Allowed/Allowed | If closed, the mDNS/ZeroConf/Bonjour DNS service will not find the SmartServer (e.g., hostname.local); you will need to use an IP address or some other DNS service.
8883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | INE requires a certificate and credentials to be configured in order to connect. You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security.
8883 ** | MQTT (mosquitto) | TCP | Blocked/Allowed | Blocked/Allowed | You can enable/disable this port using the System Configuration page → Enable Remote CMS.
41797 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security.
47808 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security.
49152 – 65535 ** | IANA ephemeral UDP port range | UDP | Blocked/Allowed | Blocked/Allowed | These ports are used dynamically by clients such as YABE (Yet Another BACnet Explorer) for BACnet as their source port while they have an established connection to the SmartServer. You can configure these ports using the BACnet Configuration page.
55000 (default) ** | OPC UA Server (echopcua) | TCP | Allowed/Blocked | Allowed/Allowed | You can disable this service using the OPC UA Configuration page. OPC UA can be configured to require authentication. This port is user-configurable.
All other ports | Multiple | TCP/UDP | Blocked/Blocked | Blocked/Allowed |

...

The table below lists internal services/ports. There are no firewall rules exposing these internal services/ports to external interfaces. You can sort the table by clicking on the column header.

Warning: Managing internal ports

Attempting to modify or restrict these ports may compromise the functionality of the SmartServer applications.

...

Port | Service | Protocol | Enhanced In/Out | Standard In/Out
---- | ------- | -------- | --------------- | ---------------
53 | DNS (dnsmasq) | TCP | Allowed/Blocked | Allowed/Allowed
53 | DNS (dnsmasq) | UDP | Allowed/Blocked | Allowed/Allowed
1099 | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
1629 (IP-70) | LON (echlte) | UDP | Allowed/Blocked | Allowed/Allowed
1880 | Node-Red (node-red) | TCP | Allowed/Blocked | Allowed/Allowed
3200 | Local CMS if active (mqtt) | TCP | Allowed/Blocked | Allowed/Allowed
5432 | Local CMS if active (pgsql) | TCP | Allowed/Blocked | Allowed/Allowed
6379 | Local CMS if active (redis) | TCP | Allowed/Blocked | Allowed/Allowed
8101 | Local CMS if active (cms for SmartServer 4.4 and higher, karaf for SmartServer 4.3 and prior) | TCP | Allowed/Blocked | Allowed/Allowed
8181 | Local CMS if active (jetty) | TCP | Allowed/Blocked | Allowed/Allowed
9001 | Supervisor (python) | TCP | Allowed/Blocked | Allowed/Allowed
9090 | Reboot Manager (python3) | TCP | Allowed/Blocked | Allowed/Allowed
44444 | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Reboot Manager (python3) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Local CMS if active (pgsql) | UDP | Allowed/Blocked | Allowed/Allowed

...

  1. Log into the SmartServer console using USB or SSH.

  2. Enter the following command to view current firewall rules:

    sudo ufw status numbered


  3. Take note of the rule number for SSH port 22.



  4. Delete the rule for SSH port 22 using the following command (may require sudo password):

    sudo ufw delete <rule number for port 22>

    The following confirmation prompt appears:

    Proceed with operation (y|n)?


  5. Enter y and press RETURN.

    Once the rule for port 22 is deleted, SSH connection attempts will time out and fail to connect.

    Example: disabling the SSH port 22.

    Info: Disabling SSH service

    You can also disable the SSH service; however, this service will be re-enabled after upgrading or re-imaging the SmartServer. To disable the SSH service, enter the following commands:

    sudo systemctl disable ssh
    sudo systemctl stop ssh



...

Note

The CMS Export using the Import/Export button may not use the new HTTPS port. In this case, once the export times out, add the HTTPS port to the URL.

After you change the HTTP and HTTPS ports, a Restore to factory will change the ufw ports back to the defaults but does not change the apollo.conf file. Therefore, even though you can ping the SmartServer, you will not be able to access the SmartServer Configuration page or the CMS web page until you change the apollo.conf file back to the default settings (see step 2 below).

...

To change both of these ports you have to do the following:

  1. Back up /etc/nginx/sites-available/apollo.conf. Use SSH/console (apollo login) or SFTP (requires root login).

    Code block: Making a copy of apollo.conf using console/ssh
    ls -l /etc/nginx/sites-available/
    sudo cp /etc/nginx/sites-available/apollo.conf /etc/nginx/sites-available/apollo.conf.old
    ls -l /etc/nginx/sites-available/


  2. Change three lines in the apollo.conf file. To edit it with nano, log in as apollo and enter the following command:

    Code block: Console/SSH using nano
    sudo nano /etc/nginx/sites-available/apollo.conf
    1. The default settings are as follows:

      Code block: apollo.conf default settings for the HTTP (80) port
      listen                  80 default_server;
      listen             [::]:80 default_server ipv6only=on;


      Code block: apollo.conf default settings for the HTTPS (443) port
      listen                  443 ssl;


    2. After the HTTP port is changed from 80 to 1780 and the HTTPS port from 443 to 1443, the lines read as follows:

      Code block: apollo.conf settings for HTTP on port 1780
      listen                  1780 default_server;
      listen             [::]:1780 default_server ipv6only=on;


      Code block: apollo.conf settings for HTTPS on port 1443
      listen                  1443 ssl;

    3. Save the file.

    4. Verify the changes.

      Code block: Verify the changes were made
      cat /etc/nginx/sites-available/apollo.conf
      
      :
      server {
          # listen on HTTP port(s) (this is the default server)
          # NOTE: Only use non-SSL ports for debugging!
          listen                  1780 default_server;
          listen             [::]:1780 default_server ipv6only=on;
          server_name "";
          return 301 https://$host$request_uri;
      }
      
      server {
          # listen on IPv4 HTTPS port (using a self-signed certificate)
          # DOC: <http://nginx.org/en/docs/http/configuring_https_servers.html>
          # DOC: <http://www.akadia.com/services/ssh_test_certificate.html>
          listen                  1443 ssl;
      
      :

  3. Determine what ports are open (see the Determine what ports are open section).
    1. Enter the following command:

      sudo ufw status numbered

      Each port number can have multiple entries, for input and/or output.

  4. Open the new ports for HTTP (1780) and HTTPS (1443). Remove the port 80 and 443 IN rules but keep the port 80 and 443 OUT rules: the 80 and 443 output entries are used by the SmartServer internal applications to reach external servers and should not be changed.

    Code block: Close some port 80 and 443 entries, and add new 1780 and 1443 port entries
    sudo ufw allow 1780
    sudo ufw allow 1780/tcp
    sudo ufw allow out 1780/tcp
    sudo ufw allow 1443/tcp
    sudo ufw allow 1443
    sudo ufw allow out 1443/tcp

    sudo ufw delete allow 80/tcp
    sudo ufw delete allow 443
    sudo ufw delete allow 443/tcp


  5. Verify that the port settings are correct. Make sure that "80/tcp ALLOW OUT" and "443/tcp ALLOW OUT" are still allowed.

    Code block: Ports open after changes
    $ sudo ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 5353/udp                   ALLOW IN    Anywhere
    [ 3] 2541/udp                   ALLOW IN    Anywhere
    [ 4] 2541/udp                   ALLOW OUT   Anywhere                   (out)
    [ 5] Anywhere on lo             ALLOW IN    Anywhere
    [ 6] Anywhere                   ALLOW OUT   Anywhere on lo             (out)
    [ 7] Anywhere                   DENY IN     127.0.0.0/8
    [ 8] 53/udp                     ALLOW OUT   Anywhere                   (out)
    [ 9] 5353/udp                   ALLOW OUT   Anywhere                   (out)
    [10] 80/tcp                     ALLOW OUT   Anywhere                   (out)
    [11] 443/tcp                    ALLOW OUT   Anywhere                   (out)
    [12] Anywhere                   ALLOW OUT   Anywhere on ip70           (out)
    [13] 123/udp                    ALLOW OUT   Anywhere                   (out)
    [14] 25/tcp                     ALLOW OUT   Anywhere                   (out)
    [15] 502/tcp                    ALLOW OUT   Anywhere                   (out)
    [26] 1443                       ALLOW IN    Anywhere
    [17] 1628/udp                   ALLOW IN    Anywhere
    [18] 1628/udp                   ALLOW OUT   Anywhere                   (out)
    [19] 1883 on eth0               ALLOW IN    Anywhere
    [20] 8883 on eth0               ALLOW IN    Anywhere
    [21] 1780/tcp                   ALLOW IN    Anywhere
    [22] 1780/tcp                   ALLOW OUT   Anywhere                   (out)
    [23] 1780                       ALLOW IN    Anywhere
    [24] 1443/tcp                   ALLOW IN    Anywhere
    [25] 1443/tcp                   ALLOW OUT   Anywhere                   (out)
    
    


  6. Reboot the SmartServer.
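The script below is an added example, not code from the SmartServer documentation. It automates the two checks a practitioner wants around this procedure: rewriting and verifying the three listen lines in apollo.conf (steps 2 and 2.4), and parsing the output of sudo ufw status numbered to look up a rule number (the same lookup that step 3 of Disabling SSH / Port 22 asks you to do by eye) and to confirm the step 5 state: the new ports allowed IN, the old 80/443 IN rules gone, and 80/tcp and 443/tcp ALLOW OUT still present. The helper names, the constructed sample apollo.conf and ufw listing, and the assumption that listen lines appear in the order IPv4 HTTP, IPv6 HTTP, HTTPS (as in the excerpt above) are the example's own, not the product's.

```shell
#!/bin/sh
# Added example (not from the SmartServer documentation). Runs offline against
# constructed sample data; helper names and the listen-line order (IPv4 HTTP,
# IPv6 HTTP, HTTPS, as in the page's apollo.conf excerpt) are assumptions.

# Constructed apollo.conf excerpt modelled on the one shown in the procedure.
SAMPLE_CONF='server {
    listen                  80 default_server;
    listen             [::]:80 default_server ipv6only=on;
    server_name "";
    return 301 https://$host$request_uri;
}
server {
    listen                  443 ssl;
}'

# Print the port of every "listen" line in file order (step 2.4, "Verify changes").
listen_ports() {
  sed -n 's/^[[:space:]]*listen[[:space:]]*\(\[::]:\)\{0,1\}\([0-9][0-9]*\).*/\2/p' "$1"
}

# Rewrite only the three listen lines; nothing else is touched. Take the
# step 1 backup before pointing this at the real file.
set_nginx_ports() {
  conf=$1; http=$2; https=$3
  sed -e "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\)[0-9][0-9]*\([[:space:]][[:space:]]*default_server;\)/\1$http\2/" \
      -e "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\[::]:\)[0-9][0-9]*\([[:space:]][[:space:]]*default_server ipv6only=on;\)/\1$http\2/" \
      -e "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\)[0-9][0-9]*\([[:space:]][[:space:]]*ssl;\)/\1$https\2/" \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# True only when the listen ports are exactly http, http, https.
verify_nginx_ports() {
  [ "$(listen_ports "$1" | tr '\n' ' ')" = "$2 $2 $3 " ]
}

# Constructed "ufw status numbered" listing (a subset of the rows shown above).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[10] 80/tcp                     ALLOW OUT   Anywhere                   (out)
[11] 443/tcp                    ALLOW OUT   Anywhere                   (out)
[16] 1443                       ALLOW IN    Anywhere
[19] 1883 on eth0               ALLOW IN    Anywhere
[21] 1780/tcp                   ALLOW IN    Anywhere
[22] 1780/tcp                   ALLOW OUT   Anywhere                   (out)
[24] 1443/tcp                   ALLOW IN    Anywhere
[25] 1443/tcp                   ALLOW OUT   Anywhere                   (out)'

# Read a listing on stdin; print the number of each rule whose "To" column
# equals $1 (e.g. 22/tcp or "1883 on eth0") and whose direction is $2 (IN|OUT).
ufw_rule_numbers() {
  awk -v want="$1" -v dir="$2" '
    /^ *\[/ {
      line = $0
      sub(/^ *\[ */, "", line)              # drop the "[ " prefix
      num = line; sub(/].*/, "", num)       # rule number
      sub(/^[0-9]+] */, "", line)           # text after "] "
      if (match(line, / (ALLOW|DENY|REJECT|LIMIT) +(IN|OUT) /)) {
        to = substr(line, 1, RSTART - 1); sub(/ +$/, "", to)
        split(substr(line, RSTART + 1, RLENGTH - 2), act, / +/)
        if (to == want && act[2] == dir) print num
      }
    }'
}

# Step 5 check on a listing read from stdin: new ports allowed IN, old 80/443 IN
# rules gone, 80/tcp and 443/tcp ALLOW OUT kept. Names each problem, non-zero on failure.
verify_port_change() {
  listing=$(cat); http=$1; https=$2; rc=0
  for spec in "$http/tcp" "$https/tcp"; do
    [ -n "$(printf '%s\n' "$listing" | ufw_rule_numbers "$spec" IN)" ] || { echo "missing: $spec ALLOW IN"; rc=1; }
  done
  for spec in 80 80/tcp 443 443/tcp; do
    [ -z "$(printf '%s\n' "$listing" | ufw_rule_numbers "$spec" IN)" ] || { echo "still open: $spec ALLOW IN"; rc=1; }
  done
  for spec in 80/tcp 443/tcp; do
    [ -n "$(printf '%s\n' "$listing" | ufw_rule_numbers "$spec" OUT)" ] || { echo "missing: $spec ALLOW OUT"; rc=1; }
  done
  return $rc
}

# Stand-alone demo on the constructed data. On a SmartServer you would point
# set_nginx_ports at the real apollo.conf and pipe `sudo ufw status numbered` in.
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$tmp"
  set_nginx_ports "$tmp" 1780 1443
  verify_nginx_ports "$tmp" 1780 1443 && echo "apollo.conf: listen ports now 1780/1443"
  rm -f "$tmp"
  echo "SSH rule number: $(printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_numbers 22/tcp IN)"
  printf '%s\n' "$SAMPLE_STATUS" | verify_port_change 1780 1443 && echo "ufw: state matches step 5"
}
demo
```

The sed patterns match only a listen line ending in default_server;, default_server ipv6only=on; or ssl;, so comment lines and the return 301 redirect are left alone, and the ufw parser keys on the ALLOW/DENY token rather than on column positions, so entries such as "1883 on eth0" or "Anywhere on lo" are handled. Run verify_port_change after step 5; an empty result from ufw_rule_numbers 80/tcp IN is what you expect to see once the old IN rules are deleted.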

...